From Bank Information Security
May 26, 2009 – Linda McGlasson, Managing Editor
Here are 13 of the most prevalent ruses
#1 — Credit Bust-Out Schemes By definition, credit bust-out schemes are a combination of a credit and fraud problem, although many organizations are not always sure where the losses sit – or who might be the party responsible. How it works: According to Michael Smith, manager of the Fraud and Market Planning division at Lexis Nexis, consumers apply for credit from lenders using similar last names, oftentimes Eastern European or Balkan, in an intentional effort to capture financial access vehicles to cause delinquency.
#2 — Customer Loan Account Takeover
This type of fraud occurs online, and a recent case study related by Avivah Litan, distinguished analyst at Gartner Group illustrates how customer loan account takeover happens.
#3 — Corporate Account Takeovers
Corporate account takeovers are becoming more prevalent says Gartner’s Litan. “Corporate banks are reporting that criminals are targeting their cash management customers and moving money out of their accounts via innocent consumer accounts,” she says. The owners fall for phishing e-mails that promise lucrative commissions for participating in the schemes
#4 – Cross-Channel Call Center/Online CD Purchase Scam
A fraudster purchases multiple CDs online from one bank, funded by ACH Transfers from multiple compromised third-party accounts at other institutions, says Ori Eisen, former worldwide fraud director for American Express. How it happens: The perpetrator contacts the Call Center within 48 hours of the CD purchases to cancel the CDs and transfers the funds to yet another institution to liquidate. “Variable email addresses are used in an effort to mask identity,” Eisen says. “Current procedures and safeguards at most financial institutions may not preclude the success of this type of cross-channel attack.”
#5 — Wire Fraud Account Grooming
Financial institutions are exposed to very high levels of risk within their online wire transfer processes. “Traditional methods of detection are very labor intensive, yielding high false positive rates and low recovery of stolen funds,” Eisen says.
#6 — In-Session Phishing
How it happens: Utilizing a host website that has been injected with malware acting as a parasite, this parasite monitors for visitors with open online banking sessions or similar protected asset sites (such as brokerage or retirement planning sites).
#7 — ATM Network Compromises
The industry is seeing breaches at all stages in the payment process, including merchant terminals, the communication links between merchant acquirers, and (worst of all) core elements in ATM networks, according to Paul Kocher, Cryptography Research Institute’s president and chief scientist. “Once the perpetrators have the contents of magnetic stripes and the corresponding PINs, the data is then sold to people who write the data onto counterfeit cards and drain customers’ accounts,” Kocher observes. Because other fraud targets are strengthening their defenses while ATM networks remain a soft target, “we’re expecting ATM fraud losses to grow rapidly, and eventually financial institutions will be forced to switch the ATM infrastructure to chip cards,” he predicts.
#8 — Precision Malware Strikes
The most common defenses against malicious programs work by comparing programs against the signatures of known malware, says CRI’s Kocher. As a result, attackers have learned that they can breach high-value targets’ computer systems relatively easily, provided that their attack software does not spread so widely that antivirus companies get a copy and add it to their databases. “Attackers clearly have their crosshairs aimed at individuals with non-public information about publicly traded companies, sensitive government data, and systems involved in processing payment transactions,” Kocher states.
#9 — PIN-Based Attacks
For the past 10 years, Verizon Business has tracked metrics and statistics from IT investigative cases, including incident response, computer forensic and litigation support, across the globe. The Verizon Business’ just-issued 2009 Data Breach Investigation Report, shows more electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, says Bryan Sartin, director of forensics and investigative response at Verizon Business.
#10 — Account Manipulation
Aside from the five or six massive individual compromises that took place across the globe in 2008 is a vastly larger population of data breaches, also targeting financials, that garnered little public attention, Sartin notes. “Much of these involve unusually small populations of compromised records, yet massive fraud in terms of total dollar losses, resulting in significant impacts to the institutions affected. By and large, these cases appear in two forms: insider manipulation and application manipulation,” he says.
Insider manipulation involves organized crime groups infiltrating a target financial entity, not through a systems-based intrusion but via its personnel, Sartin explains. Application manipulation is somewhat different and involves moderately sophisticated application-based attack techniques.
#11 — Fraud Pattern Changes
Fraud patterns changed dramatically in 2008 as a result of both reduced percentage of successful fraudulent transactions and arrest of individuals involved in organized fraud activity, says Verizon Business’ Sartin. The new fraud patterns can be divided into two categories: random fraud patterns and global ATM transactions.
#12 — Foreclosure Prevention Schemes
Homeowners facing the threat of foreclosure and nearing eviction are contacted by these “foreclosure specialists” who promise to work out their loan problems or buy their home and offer the homeowners tenancy. “Unfortunately for the homeowner, the fraudster has no intention of following through with these promises and instead will manipulate the homeowner into deeding the property to them.”
#13 — Builder Bail-Out Fraud
This fraud involves securing funds for condominium conversion or planned community development properties that, unbeknownst to the investor (financial institution), will not be completed, says Butts of the Mortgage Asset Research Institute. The scams entail multiple purchases from would-be investors or false identities on fabricated loan transactions. “Investors are lured by photos or inspections of a few converted units used as models with promises of further rehabilitation of remaining units. Once the contracts are in place, the fraud continues as the perpetrator secures funding for the contracts,” Butts explains. However, she adds, no additional work is done and the investors and lenders are left with incomplete and, in some cases, uninhabitable dilapidated buildings.
For the complete article, click here.